From 845879b6cd11547dbb2155d806570b54fb086c05 Mon Sep 17 00:00:00 2001
From: fortiz <github@systemkaiser.de>
Date: Tue, 3 May 2022 17:36:47 +0200
Subject: [PATCH] chore(merge): add tests for "__proto__" key (#38)

* fixed issue#33 CVE-2022-25645 added test for it

* Apply suggestions from code review

Co-authored-by: Timo Machel <timo-benjamin.machel@deutschebahn.com>
Co-authored-by: Luke Edwards <luke.edwards05@gmail.com>
---
 test/suites/pollution.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 2bca8dd..bf47756 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -85,5 +85,15 @@ export default function (dset) {
 		});
 	});
 
+	// Test for CVE-2022-25645 - CWE-1321 
+	pollution('should ignore JSON.parse crafted object with "__proto__" key', () => {
+		let a = { b: { c: 1 } };
+		assert.is(a.polluted, undefined);
+		assert.is({}.polluted, undefined);
+		dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}'));
+		assert.is(a.polluted, undefined);
+		assert.is({}.polluted, undefined);
+	});
+
 	pollution.run();
 }